Know Your Enemy: Nation-State Threat Actors – Part 4

In the previous blog article we looked at Israel’s cyber capabilities. This article covers North Korea’s cyber warfare operations and campaigns of the last 10 years.

When Kim Jong-un assumed power in 2011, the Democratic People’s Republic of Korea (DPRK), better known globally as North Korea, had barely any connection to the Internet. The country is still effectively a hermit kingdom, but before Kim Jong-un its isolation, partly self-imposed and partly enforced by the international community through sanctions, was about as complete as can be imagined. What changed to place the nation alongside the world’s other prominent nation-state threat actors?

Firstly, Kim Jong-un studied computer science at the International School of Bern. His studies likely prompted the future ruler of North Korea to see the potential of a cyber army set up to promote the nation’s interests and target its geopolitical enemies. Secondly, thanks to the small nation’s few but important friends, China and Russia, it is able to send promising candidates to those countries for cyber warfare training. To further bolster its cyber warfare capabilities, two colleges have also been set up to train candidates in the dark arts of nation-state hacking and cyber warfare.

As it stands today, North Korea has proven not only that it is capable of conducting cyber warfare and cyber espionage but that it is incredibly effective at targeting financial institutions. Billions have been stolen by North Korean state-sponsored groups in both fiat currency and cryptocurrency. Detailing the entirety of North Korea’s cyber warfare activity would be a Herculean task; this article instead provides the highlights that show how effective and multi-faceted the nation’s hackers are. Likewise, a brief tactical overview before the case studies seems unwise, because North Korean operations are not primarily about cyber espionage or theft of intellectual property but are a means to finance weapons programs and circumvent sanctions. For that reason, the tactical overview is provided in the conclusion.

Sony Pictures Hack

Target: Sony Pictures Entertainment
Motivation: Retaliation for the release of a movie deemed offensive to the North Korean Government, which later morphed into an extortion attempt.
Outcome: North Korean cyber warfare and espionage activity was under way well before this attack, but the hack brought the public’s attention to the country’s capabilities. In all honesty, even with public attention now firmly placed on North Korea, it did little to stop state-sponsored activity.
Summary: In 2014, Sony Pictures Entertainment was hacked in what was first thought to be retaliation for the release of The Interview, a comedy the North Korean state deemed offensive. The hackers stole sensitive emails from high-level executives within the company and wiped corporate data. As a result, Sony Pictures Entertainment had to rebuild its entire IT infrastructure.

That is not the whole picture though. The small nation runs an active nuclear weapons program that costs a great deal to keep going, not to mention the ballistic missile program meant to deliver nuclear payloads, so the country needs money. With its economy hampered by international sanctions intended to hobble those programs, any opportunity to raise funds, legal or not, is taken. The Sony intrusion included an attempt to extort the company, and the later US indictment of the hackers behind it charges a conspiracy to steal and extort more than 1.3 billion USD in money and cryptocurrency from companies and financial institutions worldwide.

The US Justice Department indicted three of the hackers responsible, one of whom, Park Jin Hyok, has been linked to North Korea’s military intelligence service, the Reconnaissance General Bureau. They were also charged with the theft of 75 million USD from a Slovenian cryptocurrency company and 11.8 million USD in digital currency from a New York financial services company. Further, prosecutors allege they plotted to steal more than 1.2 billion USD from banks in Vietnam, Mexico, Malta and elsewhere. Commenting on the case, Tracy L. Wilkinson, acting U.S. Attorney for the Central District of California, said,

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering…The conduct detailed in the indictment is the acts of a criminal nation-state that has stopped at nothing to exact revenge and obtain money to prop up its regime.”

Bangladesh Bank Heist

Target: Bangladesh Bank, the country’s central bank
Motivation: The attack was an attempt to steal approximately 1 billion USD.
Outcome: Only 81 million USD was actually taken, but the attack showed that Lazarus Group, North Korea’s premier state-sponsored group, could target, infiltrate and compromise even some of the most secure systems in the world.
Summary: Like so many attacks, this one started with a spear-phishing campaign: an email sent to several of the bank’s employees by a supposed job seeker calling himself Rasel Ahlam. His polite inquiry included an invitation to download his CV and cover letter from a website. In reality, of course, Rasel did not exist; according to FBI investigators he was an identity assumed by the Lazarus Group. At least one person inside the bank fell for the lure, downloaded the documents and was infected by the malware hidden inside them.

FBI investigators summarized the attack, stating,
“In February 2016, the Conspiracy stole $81 million from Bangladesh Bank. As part of the cyber-heist, the Conspiracy accessed the bank’s computer terminals that interfaced with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) communication system after compromising the bank’s computer network with spear-phishing emails, and then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of NY to transfer funds from Bangladesh to accounts in other Asian countries. The Conspiracy attempted to and did gain access to several other banks in various countries from 2015 through 2018 using similar methods and “watering hole attacks,” attempting the theft of at least $1 billion through such operations.”

How the stolen funds are laundered and used by North Korea also makes for interesting reading, but that is beyond the scope of this article. The important lesson from this incident is that North Korean state-sponsored groups blur the traditional line between nation-state cyber warfare and espionage on one side and financially motivated crime on the other. They conduct typical nation-state operations, yet they are equally willing to extort and steal money, whether that is the primary objective or a secondary one.
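The heist relied on payment instructions that the SWIFT network accepted as properly authenticated but that the bank itself had never authorized. A compensating control that does not trust the messaging terminal is to reconcile every outbound MT103 against an internal approval record kept on a separate system, and to flag messages sent at times when legitimate staff would not be working. The script below is an added example written for this article, not code from the page, from Bangladesh Bank or from SWIFT; the MT103 text, the approval ledger, the send times, the Monday to Friday 09:00 to 17:00 window and the review threshold are all constructed.

```python
"""Reconcile outbound SWIFT MT103 payment instructions against an internal
approval ledger and a business-hours window.

Added example, not code from the article, any bank or SWIFT.  Messages,
ledger, send times, window and threshold are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from decimal import Decimal

# Constructed archive dump of three outbound MT103s.  Real messages carry many
# more tags; only :20: (reference), :32A: (value date, currency, amount) and
# :57A: (beneficiary's bank BIC) are used.  Each message ends with a '-' line.
OUTBOUND_MESSAGES = """\
:20:PAY20160204A001
:32A:160204USD250000,00
:57A:BANKAA2LXXX
:59:/000111222
EXAMPLE SHIPPING LTD
-
:20:PAY20160204A002
:32A:160204USD30000000,00
:57A:BANKBB2LXXX
:59:/000333444
EXAMPLE HOLDINGS SA
-
:20:PAY20160204A003
:32A:160204USD475000,00
:57A:BANKCC2LXXX
:59:/000555666
EXAMPLE FOUNDATION
-
"""


@dataclass(frozen=True)
class Mt103:
    reference: str
    currency: str
    amount: Decimal
    beneficiary_bic: str


@dataclass(frozen=True)
class ApprovedOrder:
    currency: str
    amount: Decimal
    beneficiary_bic: str
    approved_by: tuple  # officers who signed off; two are required (dual control)


# Constructed approval ledger kept on a system separate from the SWIFT terminal.
# A002 was approved for 300,000 by one officer only; A003 was never approved.
APPROVAL_LEDGER = {
    "PAY20160204A001": ApprovedOrder("USD", Decimal("250000.00"), "BANKAA2LXXX", ("a.rahman", "s.khan")),
    "PAY20160204A002": ApprovedOrder("USD", Decimal("300000.00"), "BANKBB2LXXX", ("a.rahman",)),
}

# Constructed send times from the gateway log.  4 Feb 2016 is a Thursday,
# 6 Feb 2016 a Saturday.
SENT_AT = {
    "PAY20160204A001": datetime(2016, 2, 4, 10, 15),
    "PAY20160204A002": datetime(2016, 2, 4, 11, 2),
    "PAY20160204A003": datetime(2016, 2, 6, 2, 30),
}

TAG_RE = re.compile(r"^:(\w+):(.*)$")
FIELD_32A_RE = re.compile(r"^(\d{6})([A-Z]{3})([\d,]+)$")


def parse_mt103_batch(text: str) -> list:
    """Split an archive dump on '-' terminators and pull the tags we need."""
    messages = []
    for block in text.split("\n-\n"):
        block = block.strip()
        if not block:
            continue
        tags, current = {}, None
        for line in block.splitlines():
            m = TAG_RE.match(line)
            if m:
                current = m.group(1)
                tags[current] = m.group(2)
            elif current is not None:  # continuation line of a multi-line tag
                tags[current] += "\n" + line
        m32a = FIELD_32A_RE.match(tags["32A"])
        if not m32a:
            raise ValueError(f"malformed :32A: in {tags.get('20')}")
        messages.append(Mt103(tags["20"], m32a.group(2),
                              Decimal(m32a.group(3).replace(",", ".")),
                              tags["57A"].strip()))
    return messages


def reconcile(messages_text, ledger, sent_at,
              window=(time(9, 0), time(17, 0)),
              review_threshold=Decimal("10000000")):
    """Return {reference: [reasons]}; an empty list means the message matched
    an approved order and raised no flags."""
    findings = {}
    for msg in parse_mt103_batch(messages_text):
        reasons = []
        order = ledger.get(msg.reference)
        if order is None:
            reasons.append("no approved order for reference")
        else:
            if (order.currency, order.amount) != (msg.currency, msg.amount):
                reasons.append("amount/currency differs from approved order")
            if order.beneficiary_bic != msg.beneficiary_bic:
                reasons.append("beneficiary bank differs from approved order")
            if len(set(order.approved_by)) < 2:
                reasons.append("dual control not satisfied")
        ts = sent_at.get(msg.reference)
        if ts is None or ts.weekday() >= 5 or not (window[0] <= ts.time() < window[1]):
            reasons.append("sent outside business hours")
        if msg.amount >= review_threshold:
            reasons.append("amount at or above manual review threshold")
        findings[msg.reference] = reasons
    return findings


if __name__ == "__main__":
    for ref, reasons in reconcile(OUTBOUND_MESSAGES, APPROVAL_LEDGER, SENT_AT).items():
        print(ref, "OK" if not reasons else "; ".join(reasons))
```

The ledger match is the important check: messages sent from a compromised terminal carry the bank’s own authentication, so the network has no reason to reject them, and only a record the terminal cannot write to can show that nobody inside the bank approved the transfer. The business-hours rule is a cheap second signal, since an operator working the terminal remotely is not bound to the bank’s working day.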

VHD Ransomware

Target: Multiple enterprise networks, with the aim of extorting funds in the manner of known financially motivated ransomware operators.
Motivation: As with the previous case studies, the motivation was financial gain for the North Korean government.
Outcome: Lazarus Group proved that it could not only steal funds directly from financial institutions but also build its own ransomware and run it the way human-operated ransomware crews and Ransomware-as-a-Service gangs do.
Summary: In 2020, security researchers began seeing samples of a previously unknown ransomware family. The samples were analyzed and named VHD, after the .vhd extension the malware appends to the files it encrypts. Initially it was reasonable to assume that the new ransomware was the work of a financially motivated hacker group or a known ransomware gang. Some researchers noted, however, that VHD’s victims resided mainly in the Asia Pacific (APAC) region, the focal point of many of Lazarus’ operations, which prompted them to ask whether Lazarus might be behind the attacks.

Park Jin Hyok, the same individual indicted for the Sony hack and a known Lazarus operative, has experience with ransomware creation and deployment. Regarding WannaCry, the ransomware that crippled the British National Health Service in 2017, the FBI has stated,

“Park and his co-conspirators were linked to these attacks, intrusions, and other malicious cyber-enabled activities through a thorough investigation that identified and traced: email and social media accounts that connect to each other and were used to send spear-phishing messages; aliases, malware “collector accounts” used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese, and other IP addresses. Some of this malicious infrastructure was used across multiple instances of the malicious activities described herein. Taken together, these connections and signatures—revealed in charts attached to the criminal complaint—show that the attacks and intrusions were perpetrated by the same actors.”

Returning to VHD, researchers followed the money and found multiple links to cryptocurrency wallets believed to be used by Lazarus and other North Korean state-sponsored groups.
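The FBI statement above lists the kinds of evidence that tie separate intrusions to one actor: reused email and social media accounts, aliases, credential “collector accounts”, shared malware code libraries, proxy services and IP addresses, and, in the VHD case, cryptocurrency wallets. The script below is an added example, not code from the article, the FBI or any vendor; it shows the mechanics of that pivot, scoring the indicators two incidents share by how costly each indicator type is for an attacker to change, then clustering incidents whose shared weight clears a threshold. The incident records, indicator values (documentation IP ranges, example.com addresses, a made-up wallet string) and weights are all constructed.

```python
"""Cluster intrusions by the indicators they share, weighting indicator types
by how hard they are for an attacker to vary.

Added example, not code from the article, the FBI or any vendor.  Incidents,
indicator values and weights are constructed for illustration.
"""
from itertools import combinations

# Constructed weights: a reused email account, credential collector account or
# cryptocurrency wallet is a far stronger tie than a proxy or IP address that
# unrelated actors might also use.
INDICATOR_WEIGHT = {
    "email": 3, "collector_account": 3, "wallet": 3,
    "alias": 2, "code_library": 2,
    "proxy": 1, "ip": 1,
}
LINK_THRESHOLD = 3  # constructed: minimum shared weight to assert a common actor

# Constructed incident records: {incident id: {(indicator type, value), ...}}
INCIDENTS = {
    "INC-2014-A": {("email", "hr.recruit01@example.com"), ("ip", "203.0.113.10"),
                   ("code_library", "fake-tls-handshake-v2"),
                   ("collector_account", "drop-a@example.net")},
    "INC-2016-B": {("email", "hr.recruit01@example.com"),
                   ("code_library", "fake-tls-handshake-v2"),
                   ("wallet", "bc1qexample000000000000000000000000000aaaa")},
    "INC-2020-C": {("wallet", "bc1qexample000000000000000000000000000aaaa"),
                   ("proxy", "203.0.113.77")},
    "INC-2019-D": {("ip", "203.0.113.10"), ("alias", "watson")},  # only a weak IP tie to A
    "INC-2018-E": {("alias", "holmes"), ("proxy", "198.51.100.5")},
}


def shared_indicators(incidents):
    """Return {(a, b): (score, shared set)} for every pair with any overlap."""
    links = {}
    for a, b in combinations(sorted(incidents), 2):
        common = incidents[a] & incidents[b]
        if common:
            score = sum(INDICATOR_WEIGHT.get(kind, 0) for kind, _ in common)
            links[(a, b)] = (score, common)
    return links


def cluster(incidents, threshold=LINK_THRESHOLD):
    """Union-find over incidents joined by links scoring at or above threshold."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    for (a, b), (score, _) in shared_indicators(incidents).items():
        if score >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in incidents:
        groups.setdefault(find(name), set()).add(name)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def explain(incidents, threshold=LINK_THRESHOLD):
    """Human-readable list of which indicators tie which incidents together."""
    lines = []
    for (a, b), (score, common) in sorted(shared_indicators(incidents).items()):
        verdict = "LINKED" if score >= threshold else "weak"
        detail = ", ".join(f"{kind}={value}" for kind, value in sorted(common))
        lines.append(f"{a} <-> {b}: {verdict} (score {score}): {detail}")
    return lines


if __name__ == "__main__":
    for line in explain(INCIDENTS):
        print(line)
    for group in cluster(INCIDENTS):
        print("cluster:", ", ".join(sorted(group)))
```

The weighting is what keeps the method honest: two intrusions that share only an IP address in a range used by commodity proxies are not evidence of the same actor, whereas a reused credential drop account or payout wallet is hard to explain away. Lowering the threshold to 1 in this example pulls the weakly tied incident into the main cluster, which is exactly the over-attribution an analyst needs to avoid.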

Where there is a will, there is a way.

Cyber security firms such as LMNTRIX have observed first-hand the tools, tactics and procedures of North Korean state-sponsored groups, and report that Lazarus Group consistently runs cybercriminal operations to generate enough revenue to bypass sanctions, while also targeting the governments of South Korea, Japan and the United States, as well as the infrastructure of smaller democracies, in order to collect information and create disorder.

North Korea’s actions in cyberspace therefore serve revenue generation and intelligence gathering first of all, but that is not to say that creating disorder is not also an important aim of the heavily sanctioned nation.
